Security Initiatives Here and Down Under
Roger Hagedorn, Cultivating Security
Cultivating Security, 2012
Jun 29, 2015
Quick Discussion Question: What do you think of when it comes to information security?
[audience participation time]
One thing to keep in mind:
In the world of information security,
CIA = Confidentiality, Integrity and Availability
Though sometimes it refers to a certain government agency.
What do we mean by Information Security?
“the processes and methodologies designed to protect print, electronic, or any other forms of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
SANS Institute
“Preservation of confidentiality, integrity and availability of information.”
ISO 27000
Are there any models or standards for Information Security that might be helpful?
I thought you’d never ask. . .
There’s no shortage of standards to consider:
• NIST SP 800-53 = National Institute of Standards and Technology Special Publication 800-53
• FISMA = Federal Information Security Management Act
• DIACAP = DoD Information Assurance Certification and Accreditation Process
• SOX = Sarbanes-Oxley Act of 2002
• GLBA = Gramm-Leach-Bliley Act
• PCI-DSS = Payment Card Industry Data Security Standard
• NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection standards
• ISO 27000 Series = International Organization for Standardization
• HITECH Act of 2009
Confused?
Overwhelmed?
These standards are complex and difficult to implement.
Nevertheless . . .
While there might not be consensus on the issue, there is an increasing recognition that every organization needs to have a strategy for defense.
Organizations are learning to assess their information security risks, and then to implement appropriate information security controls based on their needs, and using guidance and suggestions where relevant.
With so many standards, where should a person begin?
“A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?”
“This is about priority.”
Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute
Here’s where our government, along with the Australian government, offers surprisingly helpful examples.
First, one more quick definition:
Security controls are safeguards designed to avoid, counteract or minimize risks.
Recent Events in the History of Controls:
Starting in 2008, the Office of the Secretary of Defense asked the NSA for help with its cybersecurity posture. NSA was brought in because of their understanding of how cyber attacks worked and because the DoD was interested in fending off actual attacks rather than developing a theoretical approach to security.
Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks.
The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”
The second key: NSA was already working on collaboration with two nonprofit organizations:
The SANS Institute — a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world.”
The Center for Internet Security — “works on enhancing cyber security readiness and response of public and private sector entities.”
Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant.
The two main elements:
1) The only justification for a control was actual attack information.
2) The feeling among the participants that they were active contributors to protecting the country.
The clear consensus:
Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.
The test:
The Department of State put the 20 Critical Controls up against the 3,085 attacks it underwent in 2009.
The Results:
More than 88% reduction in attacks on vulnerabilities.
On Nov 5 of this year (2012), a new international consortium was launched to help government agencies and the private sector prioritize security defenses. Called the Consortium for CyberSecurity Action (CCA), it bases its recommendations on the most recent update of the 20 Critical Controls.
Spoiler Alert:
Most of these controls are standard procedure or “Best Practices” in network administration. Chances are that you’ve implemented many of them yourself. There really shouldn’t be any surprise here.
OK then, here we go . . .
The Main Event: the 20 Critical Controls
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on all devices: mobile devices, laptops, workstations, and servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware defenses
6 Application Software Security
7 Wireless Device Control
8 Data Recovery Capability
9 Security Skills Assessment and Training to Fill Gaps
10 Secure Configurations for Network Devices
11 Limitation and Control of Network Ports, Protocols and Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring and Analysis of Audit Logs
15 Controlled Access Based on Need-to-Know
16 Account Monitoring and Control
17 Data Loss Prevention
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
So what about Implementation?
In a mature environment, chances are you already have most, if not all, of these 20 Critical Controls in place.
But what about smaller organizations? You can take concrete, measurable steps toward improving your networks by putting some or most (if not all) of these controls in place over time. Yes, it takes time, but it pays off. Remember:
Keep your eye on the prize:
The State Department saw a reduction of more than 88% in attacks on their systems in the first year.
So what about those Australians Down Under?
Independently of the research we’ve discussed, the Australian Defence Signals Directorate (DSD) developed a list of the Top 35 Mitigation Strategies, presented in order of overall effectiveness.
Like the 20 Critical Controls, these rankings are based on DSD’s analysis of reported security incidents and detected vulnerabilities.
For the sake of time, let’s just consider the Top Four Controls or Mitigating Strategies:
• Use application whitelisting to help prevent malicious software and other unapproved programs from running
• Patch applications such as PDF readers, Java, and web browsers
• Patch operating system vulnerabilities
• Minimize the number of users with administrative privileges
According to the DSD’s Strategies to Mitigate Targeted Cyber Intrusions, over 85% of the targeted cyber intrusions DSD responded to could have been defeated if organizations had implemented just the first four of these strategies.
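To make the first of the four strategies concrete, here is an added illustration of the decision an application-whitelisting (allowlisting) control makes before a program is permitted to run. This is example code written for this page, not code from the presentation or from DSD; the directory layout, the policy choices and the sample “executables” are all constructed. It shows the two rule types most products combine: a hash rule, which follows the bytes wherever they are copied, and a path rule, which is only safe when ordinary users cannot write into the approved directory tree.

```python
"""Hash-and-path application allowlist: a worked illustration of the first of
the DSD Top Four strategies.  Added example written for this page, not code
from the presentation or from DSD; every hash, directory and sample
"executable" below is constructed."""
import hashlib
from typing import Iterable, NamedTuple


class Decision(NamedTuple):
    allowed: bool
    reason: str


class AllowlistPolicy:
    """Permit a program to run only if its SHA-256 is on the approved list, or
    if it sits in a directory that only administrators can write to.  Order of
    checks matters: user-writable trees are denied before the admin-only path
    rule is consulted, so a writable folder nested under C:\\Windows (such as
    C:\\Windows\\Temp) cannot be used to smuggle in an unapproved binary."""

    def __init__(self, trusted_hashes: Iterable[str],
                 admin_only_dirs: Iterable[str],
                 user_writable_dirs: Iterable[str]) -> None:
        self.trusted_hashes = {h.lower() for h in trusted_hashes}
        self.admin_only_dirs = [self._norm_dir(d) for d in admin_only_dirs]
        self.user_writable_dirs = [self._norm_dir(d) for d in user_writable_dirs]

    @staticmethod
    def _norm_dir(path: str) -> str:
        # Case-insensitive, backslash-terminated prefix so "C:\Program Files"
        # does not accidentally match "C:\Program FilesEvil\...".
        return path.replace("/", "\\").rstrip("\\").lower() + "\\"

    @staticmethod
    def _norm_path(path: str) -> str:
        return path.replace("/", "\\").lower()

    @staticmethod
    def sha256(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def decide(self, path: str, content: bytes) -> Decision:
        if self.sha256(content) in self.trusted_hashes:
            # Hash rules follow the bytes, not the name or location, so a
            # renamed or relocated copy of an approved binary still runs.
            return Decision(True, "hash matches an approved binary")
        norm = self._norm_path(path)
        if any(norm.startswith(d) for d in self.user_writable_dirs):
            return Decision(False, "unknown binary in a user-writable location")
        if any(norm.startswith(d) for d in self.admin_only_dirs):
            return Decision(True, "unknown hash, but admin-only install directory")
        return Decision(False, "unknown binary outside approved directories")


# Constructed stand-ins for executable contents (not real programs).
APPROVED_BROWSER = b"MZ\x90\x00 constructed: approved browser build 17.0"
UNKNOWN_TOOL = b"MZ\x90\x00 constructed: unsigned tool downloaded by a user"

# Hypothetical policy for a Windows fleet; the directory choices are assumptions.
POLICY = AllowlistPolicy(
    trusted_hashes=[AllowlistPolicy.sha256(APPROVED_BROWSER)],
    admin_only_dirs=[r"C:\Program Files", r"C:\Windows"],
    user_writable_dirs=[r"C:\Windows\Temp", r"C:\Users"],
)

# Constructed execution attempts: (path, file contents).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Browser\browser.exe", APPROVED_BROWSER),
    (r"C:\Users\alice\Downloads\browser.exe", APPROVED_BROWSER),  # approved bytes, odd location
    (r"C:\Users\alice\Downloads\invoice.pdf.exe", UNKNOWN_TOOL),  # classic phishing payload
    (r"C:\Windows\Temp\svchost.exe", UNKNOWN_TOOL),                # lookalike name, writable folder
    (r"C:\Program Files\Vendor\update.exe", UNKNOWN_TOOL),        # installed by an administrator
]


def evaluate(events, policy: AllowlistPolicy = POLICY) -> dict:
    """Return {path: Decision} for a batch of (path, content) execution attempts."""
    return {path: policy.decide(path, content) for path, content in events}


if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALLOW' if verdict.allowed else 'DENY ':5} {path}: {verdict.reason}")
```

Running the script lists each attempt with its verdict. The two cases worth studying are the lookalike `svchost.exe` dropped into `C:\Windows\Temp`, which the user-writable check catches even though the folder sits under an admin-only prefix, and the unknown `update.exe` under `C:\Program Files`, which the path rule allows because only an administrator could have put it there; whether that second outcome is acceptable is exactly the trade-off an allowlisting deployment has to settle.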
These two initiatives provide clear examples of what’s meant by “Defense in Depth”:
Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
SANS Institute
Thanks very much for your attention.
Any questions or comments?
Q and A
Roger Hagedorn
Email: [email protected]
www.cultivatingsecurity.com
Resources
The 20 Controls: http://www.sans.org/critical-security-controls/
The Australian Government’s 35 Controls: http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
The Center for Internet Security: http://www.cisecurity.org